From ede9d961e6323b846bfe1f08c11adfd095f23baa Mon Sep 17 00:00:00 2001
From: jcaparas
Date: Thu, 2 Mar 2017 20:47:34 -0800
Subject: [PATCH] add sample python code update python topic
---
 windows/keep-secure/code/exampe.py | 53 ++++++++++
 ...ows-defender-advanced-threat-protection.md | 97 +++++--------------
 2 files changed, 78 insertions(+), 72 deletions(-)
 create mode 100644 windows/keep-secure/code/exampe.py
diff --git a/windows/keep-secure/code/exampe.py b/windows/keep-secure/code/exampe.py
new file mode 100644
index 0000000000..7bf906738c
--- /dev/null
+++ b/windows/keep-secure/code/exampe.py
@@ -0,0 +1,53 @@
+import json
+import requests
+from pprint import pprint
+
+tenant_id="{your tenant ID}"
+client_id="{your client ID}"
+client_secret="{your client secret}"
+
+auth_url = "https://login.windows.net/{0}/oauth2/token".format(tenant_id)
+
+payload = {"resource": "https://graph.windows.net",
+ "client_id": client_id,
+ "client_secret": client_secret,
+ "grant_type": "client_credentials"}
+
+response = requests.post(auth_url, payload)
+token = json.loads(response.text)["access_token"]
+
+with requests.Session() as session:
+ session.headers = {
+ 'Authorization': 'Bearer {}'.format(token),
+ 'Content-Type': 'application/json',
+ 'Accept': 'application/json'}
+
+ response = session.get("https://ti.securitycenter.windows.com/V1.0/AlertDefinitions")
+ pprint(json.loads(response.text))
+
+ alert_definition = {"Name": "The alert's name",
+ "Severity": "Low",
+ "InternalDescription": "An internal description of the alert",
+ "Title": "The Title",
+ "UxDescription": "Description of the alerts",
+ "RecommendedAction": "The alert's recommended action",
+ "Category": "Trojan",
+ "Enabled": True}
+
+ response = session.post(
+ "https://ti.securitycenter.windows.com/V1.0/AlertDefinitions",
+ json=alert_definition)
+
+ alert_definition_id = json.loads(response.text)["Id"]
+
+ ioc = {'Type': "Sha1",
+ 'Value': "dead1111eeaabbccddeeaabbccddee11ffffffff",
+ 'DetectionFunction': "Equals",
+ 'Enabled': True,
+ "AlertDefinition@odata.bind": "AlertDefinitions({0})".format(alert_definition_id)}
+
+ response = session.post(
+ "https://ti.securitycenter.windows.com/V1.0/IndicatorsOfCompromise",
+ json=ioc)
+
+ pprint(json.loads(response.text))
diff --git a/windows/keep-secure/python-example-code-windows-defender-advanced-threat-protection.md b/windows/keep-secure/python-example-code-windows-defender-advanced-threat-protection.md
index 4b482cc066..e3414a7cb8
--- a/windows/keep-secure/python-example-code-windows-defender-advanced-threat-protection.md
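Review bot: The token request's result is never checked, so a failed `requests.post(auth_url, payload)` (wrong secret, wrong tenant, expired app registration) surfaces on the next line as `KeyError: 'access_token'` instead of the HTTP status and error body Azure AD returned; the same applies to `json.loads(response.text)["Id"]` after the AlertDefinitions POST and to the final IndicatorsOfCompromise POST, whose status is only pretty-printed. Add `response.raise_for_status()` after every request so a failure is reported at its source, and `response.json()` reads more clearly than `json.loads(response.text)`. Because this file is the sample the topic tells readers to fill in, the three `{your ...}` placeholders also invite pasting a live client secret into a script that will end up in source control; reading them from environment variables (with `import os` added to the imports) keeps the secret out of the file. Separately, the file is created as `code/exampe.py` while the topic's code includes on the other side of this commit point at `./code/example.py1`, so the two names need reconciling or the includes will not resolve.
```python
# … unchanged: imports (add `import os`) …

# Read the app-registration values from the environment so the client
# secret is never written into a committed file.
tenant_id = os.environ["WDATP_TENANT_ID"]
client_id = os.environ["WDATP_CLIENT_ID"]
client_secret = os.environ["WDATP_CLIENT_SECRET"]

# … unchanged: auth_url, payload …

response = requests.post(auth_url, payload)
response.raise_for_status()  # report the AAD error here, not as a KeyError below
token = response.json()["access_token"]

# … unchanged: session setup and the GET/POST calls; add response.raise_for_status() after each …
```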
+++ b/windows/keep-secure/python-example-code-windows-defender-advanced-threat-protection.md 
@@ -27,95 +27,48 @@ localizationpriority: high You must [install](http://docs.python-requests.org/en/master/user/install/#install) the "[requests](http://docs.python-requests.org/en/master/)" python library. These code examples demonstrate the following tasks: -- [Obtain an Azure AD access token](#obtain-an-azure-ad-access-token) -- [Create request session object](#create-a-request's-session-object) -- [Create calls to the custom threat intelligence API](#create-calls-to-the-custom-threat-intelligence-api) -- [Create a new alert definition](#create-a-new-alert-definition) -- [Create a new indicator of compromise](#create-a-new-indicator-of-compromise) +- [Obtain an Azure AD access token](#token) +- [Create request session object](#session-object) +- [Create calls to the custom threat intelligence API](#calls) +- [Create a new alert definition](#alert-definition) +- [Create a new indicator of compromise](#ioc) -## Obtain an Azure AD access token + +## Step 1: Obtain an Azure AD access token The following example demonstrates how to obtain an Azure AD access token that you can use to call methods in the custom threat intelligence API. After you obtain a token, you have 60 minutes to use this token in calls to the custom threat intelligence API before the token expires. After the token expires, you can generate a new token. 
Replace the *tenant\_id*, *client_id*, and *client_secret* values with the ones you got from **Preferences settings** page in the portal: -``` - -import json -import requests -from pprint import pprint - -tenant_id="{your tenant ID}" -client_id="{your client ID" -client_secret="{your client secret}" - -full_auth_url = r"https://login.windows.net/{0}/oauth2/token".format(tenant_id) - -payload = {"resource": "https://graph.windows.net", - "client_id": client_id, - "client_secret": client_secret, - "grant_type": "client_credentials"} +[!code[CustomTIAPI](./code/example.py1#L1-L17)] -response = requests.post(full_auth_url, payload) -token = json.loads(response.text)["access_token"] -``` - -## Create request session object + +## Step 2: Create request session object Add HTTP headers to the session object, including the Authorization header with the token that was obtained. -``` -with requests.Session() as session: - session.headers = { - 'Authorization': 'Bearer {}'.format(token), - 'Content-Type': 'application/json', - 'Accept': 'application/json'} -``` +[!code[CustomTIAPI](./code/example.py1#L19-L23)] -## Create calls to the custom threat intelligence API -The following example shows how to view all of the alert definition entities by creating a call to the API. + +## Step 3: Create calls to the custom threat intelligence API +After adding HTTP headers to the session object, you can now create calls to the API. The following example demonstrates how you can view all the alert definition entities: ->[!NOTE] -> All code is still within the ```with``` statement with the same indention level. - -```json - -response = session.get("https://ti.securitycenter.windows.com/V1.0/AlertDefinitions") -pprint(json.loads(response.text)) -``` +[!code[CustomTIAPI](./code/example.py1#L25-L26)] If this is the first time to use the API, the response is empty. 
-## Create a new alert definition + +## Step 4: Create a new alert definition The following example shows how to create a new alert definition. -``` +[!code[CustomTIAPI](./code/example.py1#L28-L39)] -alert_definition = {"Name": "The Alert's Name", - "Severity": "Low", - "InternalDescription": "An internal description of the Alert", - "Title": "The Title", - "UxDescription": "Description of the alerts", - "RecommendedAction": "The alert's recommended action", - "Category": "Trojan", - "Enabled": True} + +## Step 5: Create a new indicator of compromise +You can now use the alert ID obtained from creating a new alert definition to create a new indicator of compromise. -response = session.post( - "https://ti.securitycenter.windows.com/V1.0/AlertDefinitions", - json=alert_definition) -``` +[!code[CustomTIAPI](./code/example.py1#L41-L51)] -## Create a new indicator of compromise -The following example shows how to use the alert ID obtained from creating a new alert definition to create a new indicator of compromise. +## Complete code +You can use the complete code to create calls to the API. -``` -alert_definition_id = json.loads(response.text)["Id"] - ioc = {'Type': "Sha1", - 'Value': "dead1111eeaabbccddeeaabbccddee11ffffffff", - 'DetectionFunction': "Equals", - 'Enabled': True, - "AlertDefinition@odata.bind": "AlertDefinitions({0})".format(alert_definition_id)} - - response = session.post( - "https://ti.securitycenter.windows.com/V1.0/IndicatorsOfCompromise", - json=ioc) -``` +[!code[CustomTIAPI](./code/example.py1#L1-L51)]